Forgot your password?
typodupeerror
Security IT

How Allan Scherr Hacked Around the First Computer Password 89

Posted by timothy
from the used-his-onion dept.
New submitter MikeatWired writes "If you're like most people, you're annoyed by passwords. So who's to blame? Who invented the computer password? They probably arrived at MIT in the mid-1960s, when researchers built a massive time-sharing computer called CTSS. Technology changes. But, then again, it doesn't, writes Bob McMillan. Twenty-five years after the fact, Allan Scherr, a Ph.D. researcher at MIT in the early '60s, came clean about the earliest documented case of password theft. In the spring of 1962, Scherr was looking for a way to bump up his usage time on CTSS. He had been allotted four hours per week, but it wasn't nearly enough time to run the detailed performance simulations he'd designed for the new computer system. So he simply printed out all of the passwords stored on the system. 'There was a way to request files to be printed offline by submitting a punched card,' he remembered in a pamphlet (PDF) written last year to commemorate the invention of the CTSS. 'Late one Friday night, I submitted a request to print the password files and very early Saturday morning went to the file cabinet where printouts were placed and took the listing.' To spread the guilt around, Scherr then handed the passwords over to other users. One of them — J.C.R. Licklieder — promptly started logging into the account of the computer lab's director Robert Fano, and leaving 'taunting messages' behind."
This discussion has been archived. No new comments can be posted.

How Allan Scherr Hacked Around the First Computer Password

Comments Filter:
  • More on CTSS (Score:5, Interesting)

    by Anonymous Coward on Friday January 27, 2012 @09:17PM (#38847477)

    CTSS is notable for a lot of things. Like having the first e-mail, and the first spam.

    http://opinionator.blogs.nytimes.com/2011/06/19/did-my-brother-invent-e-mail-with-tom-van-vleck-part-one/

    The first documented hacking occurred earlier, to make certain networking-esque programs work.

    • Or something like that.

  • Twenty-five years after the fact?

    Try fifty...

    • by MightyYar (622222) on Friday January 27, 2012 @09:31PM (#38847529)

      I know I shouldn't tell someone with a 5-digit id to RTFA, but here I go anyway... FTFA:

      Scherr left MIT in May 1965 to take a job at IBM, but 25 years later he confessed to Professor Fano in person. “He assured me that my Ph.D. would not be revoked.”

      • by martin-boundary (547041) on Friday January 27, 2012 @10:40PM (#38847797)

        He assured me that my Ph.D. would not be revoked

        Uh, uh. But now the DHS knows what he did...

        • But it was before they wrote any computer crime statutes, so he is good.
        • He assured me that my Ph.D. would not be revoked

          Uh, uh. But now the DHS knows what he did...

          Allan Scherr: [holds up his doctorate] Ph.D immunity!

          [DHS slowly rolls its head on its neck, takes aim, and fires - his bullet goes through Allan's wallet, and then his head]

          DHS: It's just been revoked!

      • by 93 Escort Wagon (326346) on Friday January 27, 2012 @11:34PM (#38847955)

        I know I shouldn't tell someone with a 5-digit id to RTFA, but here I go anyway... FTFA:

        Scherr left MIT in May 1965 to take a job at IBM, but 25 years later he confessed to Professor Fano in person. “He assured me that my Ph.D. would not be revoked.”

        Okay, so to sum up:

        Slashdot just posted a 25-year-old story.

        • by fotoguzzi (230256)

          I know I shouldn't tell someone with a 5-digit id to RTFA, but here I go anyway... FTFA:

          Scherr left MIT in May 1965 to take a job at IBM, but 25 years later he confessed to Professor Fano in person. “He assured me that my Ph.D. would not be revoked.”

          Okay, so to sum up:

          Slashdot just posted a 25-year-old story.

          Actually, a 22-year-old story about an incident which took place 25 years previously. Something to tell your grandkids about.

        • by hawk (1151)

          You must be new around here . . . :)

          hawk

      • by osu-neko (2604)

        I know I shouldn't tell someone with a 5-digit id to RTFA...

        Yeah, you should. These younger users are often hard of reading...

    • by Zibodiz (2160038)
      What are you talking about? My mom was born in the early '60s, and everyone knows she's 25. Just ask her!
    • by pjt33 (739471)

      If you think that's impressive, TFS also says that CTSS was built in the "mid-1960s", and Scherr stole the password file "in the early '60s", specifically "in the spring of 1962". Hacking into a system that hasn't been built yet is pretty impressive. I wasn't surprised when I checked the "editor" and saw that it was Timothy.

  • On a telephone switch is a phone number a password?

    In encryption is a keyphrase a password?

    Regarding a bank account is your signature a password?

    Is the file system address to a specific terminal a password?

    I am so confuse.
    • by pbjones (315127) on Friday January 27, 2012 @09:41PM (#38847573)

      it's a route, the way to connect to your phone. A password is more like a key, if you have one then you can get into your whatever.

      Worst password/pin. A telephone system at a major event many years ago, each journalist was given a unique 4 digit pin, they enter it and get dialtone and dial. Took about 10 seconds for them to workout that they could just pump in 4 digit codes until they got dial tone and they were then using other peoples accounts. Or the Video store software that stored passwords in plain text in a file called PW.TXT.

      • ....or the crippleware my high school used on Windows 98 to prevent unauthorized users from modifying anything. Except, it allowed the user to set the wallpaper from Internet Explorer, but not the display console.

        Fun ensued when the students set the goatse man as the wallpaper and the teachers couldn't change it because they didn't have the password.

        I quickly learned that the password was stored in plain text in the registry (that I could view, but not edit) and would change the wallpaper back to a blank b

        • by bartoku (922448)
          While the registry trick was a nice find, why not just use Internet Explorer to set the wallpaper to something else?
          • Because you had to set the wallpaper to something with Internet Explorer. They wanted the background to be a solid blue. Typically, I would set the wallpaper using Internet Explorer to remove the offending image and then set it to blue afterwords.
            • by Sulphur (1548251)

              Because you had to set the wallpaper to something with Internet Explorer. They wanted the background to be a solid blue. Typically, I would set the wallpaper using Internet Explorer to remove the offending image and then set it to blue afterwords.

              The blue screen background of happiness.

        • by wierd_w (1375923)

          Sadly, when I was a tyke in HS, we were the last pre-internet generation.

          However, hilarity *did* ensue when I showed the other gifted kids how to change the desktop pictures and system sounds on the native powermacs the school was using.

          Never did I ever imagine the inventiveness that schoolkids could invoke from something as horrible as clarisworks.... never in a million years. It was like graphitti in a newyork subway. Every workstation in the school was vandalized in a different and unique way.

          It wasn't

          • by EETech1 (1179269)

            The gifted kids getting to spend extra (un-monitored) time in the computer lab was a great idea. We were the only ones that could make it work anyways.

            With practically no one having a computer, much less a clue how to use it, the teachers needed input on how to incorporate them into a class, so they let us have our way with it, to figure out what a student could do with it. Which lessons were fun, any thoughts on what a 6th grade kid could put in a database. How come this won't save. We were middle schoo

            • by pjt33 (739471)

              Do you have a floppy drive in that safe too? If not, rush out to the shops now.

              • by EETech1 (1179269)

                Not in the safe, but in my box o goodies. Too bad you couldn't buy a good one for the last 10 years or so. Mine is fairly new, but I've seen plenty of them die under very light use. Just don't build them the same when you don't run them for 6 hours straight installing the OS from 49 different disks:)

                I did try reading them in my old DOS box, and they still worked! I copied them into my circle of backups so I have the data in more than one place now!

                Cheers

                • by Fancia (710007)
                  Glad you backed them up. Floppies have a pretty short lifespan! Worries me when I see people keeping around old floppies assuming they'll be able to get the data off them later when they eventually want to.
      • A phone number could be considered a "key" to a specific phone
  • by Alien Being (18488) on Friday January 27, 2012 @10:10PM (#38847683)

    The next thing you know, cardpunches will be declared to be terrorist tools.

    • by dbc (135354) on Friday January 27, 2012 @10:55PM (#38847845)

      A card punch launched from a trebuchet could do some serious damage. They are big and heavy.

      Tell you what, though, the chad is an *outstanding* terrorist tool :) Going through the student keypunch room with a garbage bag, emptying all the chad bins, gets you enough annoying confetti to last a long time. Go through somebody's closet, and put chad in every pocket of everything he owns. Months later he will still be picking the stuff out. Sprinkle it liberally into the pages of various books. And 2 or 3 handfuls in the bed is always a winner.

      My sister the artist still laments the passing of card punches. Back in the days of card punches she was into paper mache, and the chad makes excellent paper mache, and is zero labor. Just chuck a few handfuls into the paste and get to work.

      • From the paper data days. Journalist visits IBM. As he ascends, the floors get more and more luxurious. On the ground floor are the helots in accounts keeping track of the piles of money. On the first floor are the punching and verifying rooms. On the second floor are the computer operators. On the third floor are the programmers. On the fourth floor are the analysts. On the fifth floor are the system architects. On the sixth floor are the computer scientists. On the 7th floor are the research fellows. On t
      • by ceoyoyo (59147)

        I once saw the cab of a pickup entirely stuffed full of them....

    • I just got a visual of Osama bin Ladin crouched down in a cave sheepishly holding a punchcard up to a camera and mouthing the words "Fuck you."

  • Robert Fano's password was hunter2 [bash.org]. True* fact.
  • by Anonymous Coward

    "Taunting Messages"... so he was anonymous and did it for the lulz?

  • by Dan East (318230) on Friday January 27, 2012 @10:48PM (#38847823) Homepage Journal

    Back in high school our band performed at EPCOT, and that night, to keep all the kids in their hotel rooms, the chaperones put tape on each door. If a student left their room, then the tape on the outside of the door would be broken loose and they would get in trouble. However there was a fatal flaw. Late that night when we were sneaking around the hotel, we simply removed the tape from a dozen other rooms.

    • Back in high school our band performed at EPCOT, and that night, to keep all the kids in their hotel rooms, the chaperones put tape on each door. If a student left their room, then the tape on the outside of the door would be broken loose and they would get in trouble. However there was a fatal flaw. Late that night when we were sneaking around the hotel, we simply removed the tape from a dozen other rooms.

      An excellent example of how when we pay attention to the obvious, someone else has a different in

  • First keylogger? (Score:5, Interesting)

    by djchristensen (472087) on Saturday January 28, 2012 @01:38AM (#38848329)

    I'm sure not the first time it happened, but while in college in the mid '80s, the computer lab was set up with 68k-based evaluation boards to use for embedded systems programming assignments. The boards had two serial ports, one to the ASCII terminal and another to the Sun server. The boards normally operated in a transparent pass-through mode when they weren't being used, and a hot-key was used to access the board directly.

    We realized that we could easily install code to look for "login:" and "password:" coming from the server and catch the replies and save them in memory. We'd check back towards the end of the day and harvest the results. We were on very good terms with the head of the CS department, so when we told him about our little exploit and proved it with his password, he was more amused than anything else.

    We didn't keep or use any of the passwords, but thinking back on it, it could have been quite lucrative to sell them to a certain group of CS students who were quite prone to cheating. Those were the ones that you could put their assignment printouts together (I worked as a TA for a while) and hold them up to the light to see they were identical except for the variable names. One of them also set fire to the pile of final assignments that had been left on the floor outside a professor's office in a 100+ year old building, figuring if nobody's assignment got turned in, the professor couldn't grade them (yeah, too dumb to realize all those programs were still on the server). That was a very narrowly avoided tragedy. Ah, memories.

    • by audubon (577473)
      At my university during the early '80s, each student's VAX-11/780 username and password both consisted of the student's Social Security number. When exam results were posted on the bulletin board, they were listed by SSN.
    • by mannd (841376)
      On the Dartmouth Time Sharing System GE-200 series computer, I wrote a program that emulated the login using BASIC. I left it running on teletypes for users to login to. When the user hit Enter a control character was printed which turned off the teletype (I forget what control character that was) and the data was saved in a file. This was in 1969. I collected a bunch of user names and passwords just for fun. I think it was a fairly early password stealing program. Hopefully statue of limitations has
  • by Anonymous Coward on Saturday January 28, 2012 @01:57AM (#38848401)

    When I was attending a small techical college which had government contracts, one student got passwords to several research accounts and used them for homework and for the primitive games of the time. He started with guessing simple ones and shoulder surfing. After a couple of catch-and-release sequences, he seemed to self-destruct. He started running CPU and memory intensive do-nothing programs to deliberately tie up the computer. He was finally arrested, expelled, tried, convicted, and jailed.
    He was sure proud he could do it. He was sure resentful that computer time wasn't free.

  • A while back I was curious about the origin of the customary way of logging in by first entering a user ID/name, then entering in your password. Where was this first done? Why that order? Why not ask for the password first, or ask for only the password? Maybe it used to be done differently? I knew of Multics, and thought there might be older OSes. A bit of searching turned up CTSS, and the source code. I looked at enough of the CTSS source to see that it did the login 2 step we all know.

    What I'm no

    • by Novus (182265)

      The problem with using only passwords to log in is that you then have to prevent users from having the same password. This can lead to serious security implications as discussed in this article [thedailywtf.com].

      • This is not a technically hard problem. The way they did it in that story you linked was terrible. Perhaps the simplest way to solve it is to have the system generate part or all of every password, instead of letting (or making?) users create their own passwords. Naturally, the system is programmed to make sure its part is unique.

        However, that solution might not be so good from a social point of view. I thought a half and half approach might work. The user makes their own password, however weak, and

  • To spread the guilt around, Scherr then handed the passwords over to other users. One of them — J.C.R. Licklieder — promptly started logging into the account of the computer lab's director Robert Fano, and leaving 'taunting messages' behind."

    And thus, the first trolling was born.

  • Um, no. J.C.R. Licklider [memex.org].

    I think the submitter copied the typo in the title of this blog [wordpress.com]. But really! It's not like he's some unknown guy.

No man is an island if he's on at least one mailing list.

Working...